CSOL-570--Network Visualization and Vulnerability Detection, Summer 2018

Introduction


I was introduced to Networking Monitoring tools during Summer 2018 through CSOL- 570 Network Visualization and Vulnerabilities Detection course by Professor Michael K Hallman. CSOL- 570 was my second class of this Cyber Security curriculum. The main goal of this course was to get familiar with tools a cyber engineer can leverage to protect a given information system. The reference book was: McGuerty, J. (2018). Network Field Survival Guide: The Way of the Packet. ISBN: 978-0972894104

 

Understanding Network Visualization and Vulnerabilities Detection were proved invaluable. On the professional level, the learning process involved the need to build a lab and perform a trade study of tools for Network Visualization and Vulnerabilities Detection. This approach enabled me to better understand the need not only for the correct Network Visualization and Vulnerabilities Detection tools but the reason for the overall Cyber Security strategy.

Network Visualization is a network management application tool meant primary, among other tasks, to monitor information technology infrastructures such as network devices, servers, virtual machines, and cloud services and to report on their status.  A network management tool is not optimized to scan a network to detect vulnerabilities; instead, it is there to help a network administrator to know the status of his network overall and pinpoint issues thanks to the application's capabilities. OpenNMS is an example of a Network Visualization application.  Network Vulnerabilities detection, on the other hand, is an application deployed in network infrastructure to scan for vulnerabilities usually against a known database such as CVE or NVT and to report upon them.  OpenVAS is an example of a Network Vulnerabilities Detection application. Some tools, however, can combine several features by using extensions to expand their traditional functions. It is not uncommon to find products supporting both visualization and vulnerabilities scanning and more features.

Having a network equipped with network visualization and vulnerabilities scanning tools is a paramount prerequisite to the success of the overall Cyber Security strategy. Network visualization, as in a ship, will act as a compass to help determine the status of the network while the vulnerability capability will help the organization to be proactive in detecting vulnerabilities earlier so fix can be provided on time. Most of the network visualization tools provide logging capabilities that are important to cyber defenders. In lack of this, attackers can hide their malicious software, location, and activities on the victim machines. And logging also can serve as a record of evidence of a successful attack. On the vulnerability side, cyber defenders are facing a constant stream of new information which may require some actions from them. These include but not limited to patches, threat bulletins, software updates, and so forth. If there is no process or tool to address these issues, the chances are that attackers will take advantage of this security gap and will expose the network infrastructure to great risks.

It is a big mistake to wait to address an issue until some cyber incidents that could have been prevented strike. A Cyber Security professional in the course of his professional career should be at the forefront of this simple security prevention mechanism especially when given the opportunity of implementing a cybersecurity plan. He should ethically plan in putting in place a fair process to select the more appropriate products based on the company's realities. The ethical notion should encompass the concern of selecting products with the right price and the right features set to reach a stated goal. Furthermore, based on the Center for Internet Security, CIS (n.d.), Network Visualization, and Vulnerability Detection are part of the top 20 critical controls for effective cyber defense. The California Attorney General (2016) has made the 20 top controls as minimum requirements for companies doing business in California. According to Harris, Kamala D., California Attorney General, "The 20 controls in the Center for Internet Security’s Critical Security Controls define a  minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security. " pg 30.


In this document are a trade study where the best tool for Network Visualization and Network Vulnerability was to be chosen and some understanding of the other aspect of other Cyber Security modules for their professional and ethical application.


Common terms


CVE: Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures system provides a reference-method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, owned by The MITRE Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security


NVT: Network Vulnerability Tests.

NVT is more OpenVAS proprietary. NVTs are test routines that check for the presence of a vulnerability on a target system. OpenVAS coordinates the execution of many of such tests to many target systems and collects the results.


Trade Study Description

 

Common knowledge of both trade studies


During the seven weeks of this course, I have been asked in two of the seven assignments not only to first select a network visualization tool, second, a network vulnerability assessment tool but also to come up with a logical mechanism of selecting them. Here is a summary of the process behind that exercise with some corrections, as I have learned more in the process.


Scoring Mechanism and Formulae


The scoring system I adopted is the one that gives some marks based on what the software provides. That score is from 0 to 10 for each criterion with 0 being the lowest or no support provided while 10 means full support. Let take an example of the criterion that is related to cost. Providers of the tools choose either to offer it completely free, and this is the case for OpenVAS. In this case, the score on these criteria will be 10. On the other hand, Nessus Home is a limited free version to 16 hosts only, and because of this limitation trick, the score for the cost is much lower. Each criterion has a defined weight based on what I think is important as a goal for my limited LAB environment. Weight can change if my lab expands to include more nodes.


To perform a scientific selection, I defined some parameters as it can be seen in Table A. These parameters are common for both studies and were applied during the final selection. Each parameter has a description of what it does. The raw score is based on a range of values from 0 to 10 for each criterion I defined in this study. 0 is the lowest value a tool can receive, while 10 is the highest. 

 

For example, OpenVAS scores 10 as its raw score value for its support for Web management while it receives only 8 for documentation. The Weighted Score Value, on the other hand, represents the weight or how much a given criterion worth compared to the rest. The total value for all Weighted Score Value must be 100%. The combination of the Raw Score (RS), the Weighted Score Value (WSV), and the maximum score (MS) allowed me to calculate precisely the Weighted Score for each Tool per criterion.


Formulae to calculate the Criteria Weighted Factor, CWF, for each value of the Weighted Score Value is:
CWF = WSV /MS


Formulae to calculate the Weighted Score (WS) per given criterion per tool is: WS = RS x CWF

Table 1: Common Values

common_data.PNG

Overview


Since I could not install on a machine every single tool I'm planning to study, the first step after defining the criteria was to search for tools and listing the top 5, 10, 20 best Network Vulnerability tools. I will read a summary of each and proceed by elimination by rejecting the most non-interesting ones.
 

Purpose


With the ever-increasing threats in cybersecurity today so is the greater need to perform regular vulnerability assessments. A cybersecurity expert needs to look for some tools to scan his network and get some results. While this appears to be unavoidable, the tool should provide a comprehensive set of features at a low cost. Hence the need to do a trade study to help in deciding on the more appropriate based on business circumstances.
 

Scope


Both studies are more limited to the scope of a virtual LAB that has only 4-5 hosts but with the potential to expand.


Network Visualization tool
 

Selection Criteria


To reach my goal of selecting the appropriate tool for Network Visualization of my Virtual Network LAB, the following are the criteria I used:


(a). Cost
The tool must be free, open-source to lower the cost of acquisition
(b). Usability
Be able to access the management interface via a web browser, ease of use
(c). Supportability
Rich online help by the community of users, ease to update, active development
(d). Functionality
Besides basic features, I evaluated extra features as well (Identify Nodes, pathways, and services, Capable of producing diagrams that show connectivity)
(e). OS Platform
Need to work on Linux Operating System


Trade Study Mechanism

   
Using Google, I searched for the top 20 Visualization tools that are free, open-source. From that list, I proceed further by eliminating the obvious ones that were not appealing, too complex, or are not Linux compatible. I also eliminated the ones that say they are free only to realize they are so limited in what they can do with the free version. I thought I did not need a matrix for eliminating those obvious ones; it would have made the study a bit too complex. The following is an example of that list: Inflow, Meerkat, Spiceworks, Pajek, Cytoscape, etc.  Following this preliminary selection, I retained four tools: OpenNMS, NetMiner, Zabbix, Gephi.

 

Since I wanted to focus more on selecting two tools for the final round, I defined some criteria to eliminate two and to retain the remaining. Here is the table I used to select those two tools. I wanted a tool that web management interface, supports Linux, and Affordable if not free. And based on these criteria, OpenNMS Horizon and Zabbix were selected for the final round.

Table 2: Round 2

visualizaion_02.PNG

Final Tool Selection


Based on the formula defined in the 1.1 Common knowledge to both trade studies, I managed to select the best tool for my network, as described in the following table.

Table 3: Final Visualization Tool selection

visualizaion_01.png

Results


As you can see, Zabbix, with an aggregate Weighted Score of 94.7, was declared the winner. Hence, the application I downloaded and installed in my Kali Linux box.
 

Vulnerability Assessment tool


Selection Criteria


To reach my goal of selecting the appropriate tool for Network Vulnerability scan of my Virtual Network LAB, the following are the criteria I used:


(a). Features Set/Reporting
The tool should provide a set of features to make it relevant to the reporting task.


(b). Usability (compatibility with CVE, NVT)
Compatibility to CVE is important, and the wider is, the better since I will be testing the vulnerabilities against a known database, which is CVE or NVT. OpenVAS, for example, has a database supporting 111070 CVEs, 275304 CPEs, and 46496 NVTs.


(c). Cost (Free and or Open Source)
Since I do not have that much budget, open-source, and the free tool was very appealing and weighted heavily on choosing the tool needed for my LAB network.


(d). Web Interface                 
Provide a way to manage the tool via a web browser so that it can be run from any PC with access to the same subnet.


(e). Documentation
Supporting online documentation


(f). Update/Support
How frequently the tool is updated and supported; is the tool has active development?


Trade Study Mechanism


My launching pad for this study was the use of a search engine to search for Network Vulnerability tools.  Using the DuckDuckGo search engine, I searched for the top Vulnerability tools that are free or low cost. This site I ended up was http://sectools.org/tag/vuln-scanners/. From that list, I proceed further by eliminating the obvious ones that were not appealing, too complex, or were cloud-based. The list produced 8 tools that were qualified for the first round of selection.

 

During this first round, I used two high-level criteria to select and eliminate tools. The tool affordability, and the Linux compatibility. The affordability is to eliminate any product that is just too expensive to go with; Linux compatibility is a must in my learning phase to gain more familiarity with Kali Linux and the Linux OS in general. With this process, I was able to isolate two tools that needed further scoring prior settling to one, OpenVAS and Nessus Home. 

Table 4: Two Vulnerability Assessment Selection Tool

vulnerabilty_selection.png

Final Tool Selection

Based on the formula defined in the introduction, I managed to select the best tool for my network, as described in the following table:

Table 5: One Vulnerability Assessment Selection Final

vulnerabilty_selection1.png

Results
As you can see, OpenVAS, with an aggregate Weighted Score of 88.3, was declared the winner. Hence, the application I downloaded and installed in my Kali Linux box.


​Application


The lesson about Network visualization and vulnerability assessment will not be complete without going through hands-on experience. To this end, I put together a virtual LAB to which I installed some tools and executed some tests. I called this virtual LAB Victor Masivi Cyber Defense Virtual LAB. It was a VirtualBox based LAB with the host being a Windows 10 Professional, BAZOKA. I then installed four guest machines: Metasploitable, OWASP, Kali Linux, and another Linux box running Zabbix network visualization application. Some other network devices were attached. Below is the diagram of the Virtual LAB.

Fig. 1: Virtual LAB Diagram

network_topology_bzk.png

I conducted several tests against the virtual LAB, but as part of this document, I will comment a bit on Metasploit, which I find very interesting to exercise on penetration testing.

Metasploit is an open-source project that provides the infrastructure, content, and tools to perform penetration tests and security auditing (Rapid7, Metasploit Framework Getting Started). But, based on my understanding, Metasploit can be defined as a set of modules one can use to do penetration testing. Users can access these modules from a msfconsole, msfcli, or Armitage. With msfconsole, you can launch the console interface with msfconsole command from Kali Linux CLI and get it ready to use several modules with the “use” command.

 
For example, if I decide to do a port scan, I can use Metasploit "SYN" module with the following command:
use auxiliary/scanner/portscan/syn.
After executing this command, I can check the options the module is offering and adjust my settings to perform a task better.

msf auxiliary(scanner/portscan/syn) > show options


Vulnerability Exploiting

This step is an instance where vulnerability is discovered, and now it can be exploited. In this exercise, I will exploit the vulnerability in samba that was left unpatched in Metasploitable virtual machine

Backdoor using Samba
Samba, when configured with a writeable file share and "wide links" enabled, can also be used as a backdoor of sorts to access files that were not meant to be shared. The example below uses a Metasploit module to provide access to the root filesystem using an anonymous connection and a writeable share. This process is a three steps operation:

 

(a). List all shares
root@kali:~# smbclient -L //192.168.156.91
And using the following command smbclient //192.168.156.91/tmp, I could navigate through the directory structure from the tmp folder. But before exploiting the vulnerability, there was no rootfts subfolder under tmp as it can be noted in the screenshot below.

Fig. 2: Samba listing

smblient.png

 

(b). Exploiting the vulnerability

Let now exploit the vulnerability using

Metasploit.msf > use auxiliary/admin/smb/samba_symlink_traversal

Fig. 2: Exploiting Samba

msfcondole_samba_01.png

(c). Mapping
Now let map the shared folder tmp, and again run the command smbclient //192.168.156.91/tmp to see if the mapping is complete. And, based on the screenshot below, I was effectively able to map after exploiting the vulnerability

Fig. 3: Result of exploitation

smbclient_03.png

Reference Library

Reflection

Network visualization and Vulnerabilities detection course have a very high-value proposition to any aspiring cyber professional, and the way it communicated to us was very effective and contributed heavily to our learning experience. We were asked to build our virtual labs to which we loaded different guest machines. One of these machines was the Metasploit, a machine loaded with so many vulnerabilities and proved to be invaluable to get familiarity with the concept of penetration testing. Having a virtual environment to play with no risk of breaking anything was a very good learning approach that builds the professional aspect of a cyber engineer. Having to experience hacking through the use of the Metasploit penetration testing framework put an aspiring cyber engineer at the center of the action.

Metasploit was not the only skill we acquired; we exercised with the Kismet tool, which is another heavy hitter in the area of Wireless Intrusion Detection. With a special wireless adapter connected to a Kali Linux, we learned how to sniff wireless traffic. All this learning was a reminder of the ethical aspect necessary to cyber engineers. These tools, for the most part, are the same black hat hackers use to commit their ill intent. Hacking has grown with a negative connotation where, unfortunately, it is being understood as a bad activity by the mainstream, but unless the perpetrator is compromising a system without the owner's permission, hacking is not illegal. This course is where I have learned that conducting penetration testing can only be done with the system owner's consent. Outside of this boundary, it becomes illegal.

All the different tools used during the course contributed to learning outcomes: how to identify threats, assess how to employ security protocols to secure a network, the use of WireShark effectively using examples such us examining encrypted and unencrypted traffic. Also, the trade study for a mechanism of selecting a product has taught us a more scientific approach in acquiring security tools for an organization. This skill contributed not only to develop a more professional way to select a buy a product but ethically sound since the selection is based with some objectivity. With this, when recommending a product to company management, it is done with a logic that can be articulated to upper management when in quest of Identifying appropriate security tools to safeguard networks. In an environment with a lot of offers, it is important to have in place a proven method of selecting products, and I thought the trade mechanism we went to is very effective.